Slashdot Mirror
Windows Vulnerabilities Revealed, Patched
Saint Aardvark writes "A big MS Windows remote vulnerability has just hit BugTraq. It concerns a buffer overflow in MS' DCOM, and affects Win2k through Server 2003; here's the security advisory from Microsoft. This is in addition to an earlier vulnerability concerning conversion from HTML to RTF - there's a separate security advisory from Microsoft for this one, and it affects Win98 and NT 4.0 through Server 2003. Patch early, patch often." There's also a CNET News story with a little more explanation on the newest vulnerability.
But if you keep port 135 open on your DMZ boxes, you deserve to be hanged with a piece of CAT-5 cable.
They hid this one until they patched it, but in light of the previous post about the US government relying so much on MS software, it makes me uneasy. This exploit let the attacker take control of the PC. Not good if you're running the bad guy database.
Why does MS come out with patches so often?
Probably similar reasons as to why Linux-contributors release patches so often.
Because software has bugs. That's what software is for.
Dacels Jewelers can't be trusted.
It's somewhat funny though that in a closed-source system how people are still finding vulnerabilities. Can you imagine how many vulnerabilities would be found in the first day of Microsoft releasing their source code to the world? I think the number would be staggering.
Could not check the MS one but I am guessing more than 3 of them were OS level patches since there were three just today.
Every one has security vulnerabilities but lets compare apples to apples here.
seSales, Point of Sale software for OS X.
You mean like the remote Samba root exploit that was in the code for something like a decade?
Not a troll, just figure I'd point out that this cuts both ways.
Having said that, Linux beats Windows hands down in my books, for one big reason: I don't even know how to close port 135 on a Windows machine, without killing other services. AFAIK the RPC service is pretty much tied up together, and many applications won't work without it.
Stock Linux install leaves maybe 2 ports open.. oh wait, 0 if you let IPtables do its thing. In Windows, I'm still busy playing whack-a-mole trying to close the 15 or so ports XP insists on listening on.
Or maybe it's easy in Windows, and I've just given up learning how to lock a machine down with every release. Anyone ever figure out how to *permanently* close those idiotic admin shares?
Endless arguments over trivial contradictions in books written by ignorant savages to explain thunder in the dark.
Like the BIND patch. Lest you forget there was, a year ago, that affected all versions. Somehow, despite the fact that it is open source, very old, very widely used and reviewed, a bug still managed to slip through.
When you must expose software to an infinently unknown amount of combinations (of OS, software, hardware but most important user input), you just cannot gaurentee that there will be no unexpected results. The biggest problem is the vairablity of user input. People will try and use things in unexpected, unapproved and malicious ways. Well, when this happens, it is possable an unforseen problem will crop up, despite your best efforts to prevent it.
What I find funny is how outraged people get about this in the computer world, when it is so prevliant elsewhere, with much higher stakes. For example: It is a known flaw with basically every consumer automibile that high speed impacts will result in sever injury or death of the operator. Now, this is an unintended method of operation, you are't SUPPOSED to slam into a brick wall doing 80, but it is a KNOWN problem, and remains un fixed. Further, they could fix, or at least improve, the problem in a large way. The first step would be to install an 8-point racing harness. Those little shoulder strap belts just don't cut it, you need to belt yourself in tighter and have more points of contact to dissapate the force over a larger area. Then there is the car itself. It needs a much better frame and much better break away points, as seen in race cars. Finally, there is other safety gear such as a helmet. Well, as race cars demonstrate, these do work. They make extremely high speed collisons, generally with only minor injuries to the driver.
So, why don't we have this? Two big reasons: Cost and inconvenience. Building a car to race car specs is EXPENSIVE, and not just because teh engine is high performance. That frame is NOT cheap. Then there are other safety measues that are a huge pain in the ass. An 8-point harness is an ordeal to get in and out of and noone want to wear a helmet inside a car. Thus, we consider it acceptable to allow the flaw to exist since it is one resultant of behavious that should not happen.
This is also akin to the computer siutation in that we could drasticly increase reliablity, but only by sacraficing cost and convienece. The cost would come form needing a verified design. Thing would move slowly because each part would need to eb extensively tested to insure there were no problems. This appiles to hardware and software. Kiss $1000 computer goodbye and figure on $10,000 or up. Then there is the inconvienence. They can't have you fiddling with this verified design, so you are going to be able to run only the apps tey ahve preapproved on the hardware they preapprove.
Unless you are willing to accept that (and people do make systems like that, contact IBM) then unforseen bugs and exploits WILL happen. And please don't act like it doesn't happen to OSS, go read SANS or Security Focus some time. There are more than plenty of exploits for both closed and open software.
If your car had a 30% chance of bursting into flames while you were driving it, would you rather know about it now or wait for the recall?
Knowing about a problem even if no solution exists allows you to take measures, like perhaps blocking outside access on certain ports for some time or filtering traffic in specific ways.
Information always beats no information when you are trying to keep something secure.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
Yes, this is /.
Yes, hardly anyone here likes MS and people here love to bash MS whenever they can.
That's fine with me. But almost all software has bugs, and in particular bugs that could be exploited to breach the security of the program. Just because MS has a bug in the RPC code doesn't mean that no one should use their software, or in particular the federal gov't should not.
If this same criterion were required of any software the gov't bought, they would have NO software. Linux is not bug free. Software written for Linux is not bug free. The main difference is, Windows is a much bigger target of attack by every hacker and "security group" in the world because it is the most popular operating system in the world. How would any Linux distribution fare if it and its components were used as widely as Windows, and people spent hours every day _trying_ to pass garbage strings of data to all of its external functions in order to find a buffer overrun? I bet it wouldn't do so hot either, and even if it didn't, that doesn't mean that no one should by that Linux distribution, does it?
PROGRAMS HAVE BUGS. And the more complex the programs, the more they interact with other components, often in ways the original programmers never thought of _or intended_, the more likely bugs will be found. My opinion is, taking cheap shots at MS is easy, but writing good code yourself is hard. We're all human beings here, and the developers who work on Linux and open source programs are no smarter than most who work at MS. People make mistakes. Sometimes people don't think about every possible bogus string parameter someone could pass in just to screw up their program. Most of the time the bugs I find in my and other's code is from components trying to _correctly_ use our code!
Flamebait, troll, whatever. Just because you don't like MS for all the /. reasons doesn't justify what you say.
Peace,
Devin